Is there a reason you broadened the scope of this question? The first question was a good answerable one, as of this revision it's too broad.
–
Ben BrockaApr 10 '12 at 14:51

@John: The original question looked better than the current one ... it is now on the way to "non constructive" (as in "give me a list of all attacks"). Is there something missing in the original question which caused you to remove the "chosen ciphertext" part?
–
Paŭlo Ebermann♦Apr 10 '12 at 15:54

I thought it would be better in terms of searchability. Should I revert back to the original question?
–
user1829Apr 10 '12 at 16:02

1

I think, using "any" instead of "chosen ciphertext" will not improve searchability, except in the rare case that someone searches for the precise phrase in the title (and puts quotation marks). I changed the the title to be a question, reworded the text to ask what I think you actually wanted to ask for, and put some relevant tags ("security" isn't, sorry). Please check that I didn't go overboard with it, and feel free to edit again.
–
Paŭlo Ebermann♦Apr 10 '12 at 16:51

2 Answers
2

Slight revision based on Paulo's remark in the comments - in a public key system a chosen plaintext attack is pretty much part of the design - arbitrary plaintexts can be encrypted to produce ciphertexts at will - by design, however, these shouldn't give any information that will allow you to deduce the private key.

A chosen ciphertext attack can be used with careful selection of the plaintext, however, to perform an attack - it's actually fairly straightforward on textbook RSA. Firstly, we have a piece of ciphertext we'll denote by:

$$C = t^e \mod n$$
Which is RSA as we know and love. Now, Eve has $C$ - this is perfectly ordinary, since Eve is supposed to be able to see $C$. Now eve has the ability to chose a plaintext - so, she choses $2$ as her plaintext and computes $C_a = 2^e \mod n$. However, to our unsuspecting victim she sends $C_b = C_a * C$, so:

$$C_b = C\cdot 2^e = t^e 2^e\mod n$$

All good so far. Now since this is a chosen plaintext attack we're reliant on having access to the decryption of our substituted value - so now the unsuspecting victim computes:

$$(C_b)^d = [t^e 2^e]^d = t^{ed}2^{ed} = 2t \mod n$$

When we get that value back, we can quite easily compute $t$. We simply need to half it.

This can actually apply for any plaintext we wish to chose - I simply chose $2$ because I like it as a number. This paper covers the general technique and a lot more.

This only applies to textbook RSA. The proper application of RSA in the wild involves the use of padding schemes which defeat this attack by ensuring the ciphertext is not malleable in this way.

Wouldn't this be a chosen ciphertext attack instead of a chosen plaintext one? For asymmetric encryption being able to do a chosen plaintext attack (i.e. encrypting using the public key) is always given, but retrieving the decryption of a chosen ciphertext (whether it comes from some known plaintext or something else) is called a chosen ciphertext attack.
–
Paŭlo Ebermann♦Apr 10 '12 at 16:56

Link only answers are not typically well received here. While the paper is a very good one, you should consider expanding by talking about what information the paper presents that is specifically related to the question.
–
mikeazo♦Aug 22 '14 at 11:53